Typically, Microsoft only releases security updates for unsupported Windows systems when there's a so-called "custom support" agreement in place. A custom agreement is a fairly costly option that's purchased mostly by large organizations. An "unsupported" operating system is one that has lapsed beyond Microsoft's 10-year product support policy. However, Microsoft made an exception this month for unsupported Windows OSes because of the flaws that had surfaced with May's "WannaCrypt" (a.k.a. "WannaCry") ransomware outbreak.

"Due to the elevated risk for destructive cyber attacks at this time, we made the decision to take this action because applying these updates provides further protection against potential attacks with characteristics similar to WannaCrypt," explained Adrienne Hall, general manager at Microsoft's Cyber Defense Operations Center, in an announcement.

Windows Update Users Protected
Microsoft's notices about the elevated risks this month are mainly directed to organizations using patch management systems. Users of Windows 10 or Windows 8.1 that have Windows Update turned on, such as consumers, don't need to take further actions to be protected, according to the announcement.

However, protection may not be automatic for users of unsupported Windows systems, such as Windows XP. In those cases, the updates must be downloaded from the Microsoft Download Center or the Microsoft Update Catalog and then installed:

"We are committed to ensuring our customers are protected against these potential attacks and we recommend those on older platforms, such as Windows XP, prioritize downloading and applying these critical updates, which can be found in the Download Center (or alternatively in the Update Catalog)," explained Eric Doerr, general manager at the Microsoft Security Response Center, in a TechNet article.

Microsoft's Policy Change
The main problem with the WannaCry outbreak was that the ransomware had used purported U.S. National Security Agency attack code to spread itself through networks. The initial attack affected organizations such as the U.K.'s National Health Service hospital networks, for instance. Microsoft released a March security patch (MS17-010) to address the targeted Server Message Block 1 flaw in Windows systems, but that release was also somewhat unprecedented in that it also applied to older systems, such as Windows XP.

Microsoft doesn't want its exceptional patch support for unsupported Windows systems this month and the last to be construed as some kind of change to its product support policies, though.

"Our decision today to release these security updates for platforms not in extended support should not be viewed as a departure from our standard servicing policies," Doerr stated. "Based on an assessment of the current threat landscape by our security engineers, we made the decision to make updates available more broadly."

Chris Goettl, product manager at Ivanti, echoed the point.

"For those on outdated platforms, this [policy change by Microsoft] should not be construed as the new norm," Goettl said, in a released statement via e-mail. "In fact, this should reinforce the need to migrate off these legacy platforms as soon as possible to avoid future risk."

Guidance on Heightened Risks
Microsoft this week published specific guidance on what constitutes heightened risks for organizations. It lists 14 "critical" bulletins and one "important" bulletin in which various remote code execution flaws are addressed.

On top of the patches specifically aimed at addressing heightened risks, Microsoft had a regular Patch Tuesday release. It was, though, somewhat of a large one. The June security update contains "a total of 94 vulnerabilities being resolved across 12 updates," according to Goettl.

Microsoft publishes its security updates at its Security Center portal here. The portal now has a download button that will open the month's security updates into a single Excel file, perhaps easing review. Microsoft also recently published a PowerShell script that can be used to count vulnerabilities in monthly security updates, as described in this blog post.